Provident Financial Group
- Banking, Finance & Financial Services
- Data Mapping Automation
- Vendor Risk Management
- PIA & DPIA Automation
Provident Financial Group Banks on OneTrust for Privacy Operations
Provident Financial Group is a FTSE 250 company and one of the UK’s leading suppliers of personal credit products, focused on financial inclusion for those who are not well served by mainstream credit offerings or are excluded altogether. The group delivers this non-standard lending through its business units – Vanquis Bank, Provident Home Credit, Satsuma Loans and Moneybarn. With 5,700 employees serving 2.4 million customers, Provident understands the strong expectation of managing personal data properly, especially within the financial sector.
“We believe that taking responsibility for what we do with personal data and demonstrating the steps we’ve taken to protect people’s rights not only results in better legal compliance, but also offers the business a competitive edge.”
Mike Dronfield, Chief Information Security Officer
Giving credit to a complex business challenge
Provident has recognized the importance of looking after customer data since it was founded in 1880, but the EU’s General Data Protection Regulation (GDPR) created new challenges for the business around properly managing their records of processing activity, vendor contracts, data subject access rights, and more.
“Before the GDPR went into effect, the privacy team set up workstreams to ensure we had a baseline level of compliance,” added Dronfield. “We soon realized that our processes were disparate and we needed a technology to automate operations and serve as a central repository for our data.”
Investing in a well-rounded solution to manage privacy compliance
Provident wanted to implement an easy-to-use privacy management technology that could serve as a single source of truth for customer, employee and vendor information. After evaluating multiple vendors in the privacy technology space, Provident selected OneTrust for Data Mapping, Assessment Automation, Vendor Risk Management and Data Subject Rights Management.
“OneTrust was primarily selected because of how business-focused the platform is. Not only is it user friendly and adaptable to meet specific business unit needs, but it provides an auditable view of data across the company, includes comprehensive reporting capabilities, and integrates seamlessly with our pre-existing technology providers.”
Mike Dronfield, Chief Information Security Officer
Combined, the OneTrust modules automate and support the following Provident initiatives: privacy impact assessments, personal data breach notification processes, third-party supplier due diligence, transfers outside of the EEA, retention schedule changes, legitimate interest assessments, individual rights, records of processing, as well as weekly and monthly reports.
Making OneTrust an integral part of business operations
To roll out the OneTrust platform, Provident hired Tara Halfpenny as its Data Protection Analyst and chief subject matter expert for OneTrust within the business. In this role, Tara supports each of Provident’s divisional and group Data Protection Officers, as well as the divisional and Group CISOs, in ensuring the OneTrust platform meets each business’ needs and demonstrates accountability and compliance under the GDPR and other regulatory obligations.
“Although I work across the whole business to support individuals in their daily use of OneTrust, there are also core teams that are higher-level users of the platform,” said Halfpenny. “These teams have more needs and requirements to help with their own accountability and compliance under the GDPR and other regulatory bodies.”
For example, Provident’s procurement team uses OneTrust Vendorpedia™ as a central repository for all the information they hold on vendors and third parties. The platform adds value to Provident’s vendor inventory, enabling faster assessment with risk mitigation workflows, ongoing monitoring, and powerful reporting to manage the entire vendor engagement lifecycle, from onboarding to offboarding.
Additionally, Provident has a dedicated Subject Rights Request team that works with the wider business to collect information in the OneTrust platform to help support customer and employee data subject access requests.
“I love that the OneTrust tool is just so easy to use. With each new OneTrust product release, there are more and more capabilities that help me accomplish Provident’s privacy mission.”
Tara Halfpenny, Data Protection Analyst
Among Halfpenny’s favorite offerings is the dedicated platform upgrade webinar that accompanies each OneTrust release, so if users need more guidance and instruction, they can get a full demo and connect with the support team to ask questions. This is especially important in her role, as she’s responsible for rolling the platform out to all departments company-wide.
“The other thing about the platform is that I have the freedom to converse with the OneTrust team, including product managers, on what updates and improvements I would like to see in the tool. If OneTrust feels my feedback is useful, they almost always incorporate it into an upcoming release, so other customers can take advantage of it,” she added.
Coining privacy as an ongoing commitment
Since implementing OneTrust, Provident not only has a better understanding of how data is flowing throughout the company but has also made privacy a competitive advantage for its business.
“Working with OneTrust has been an absolute breeze. It’s been really, really nice to be able to work with a team that feels like it’s your own. I love OneTrust and how it makes my life 100 times easier.”
Tara Halfpenny, Data Protection Analyst
Provident plans on rolling OneTrust out to more divisions within the business. From there, Halfpenny will help stakeholders mature their understanding of the platform and utilize OneTrust’s reporting capabilities to get more visibility into the business’s privacy posture.
“Our obligations to our customers are our main priority and with OneTrust we not only demonstrate our commitment to their data protection and privacy, but confidently improve our privacy practices to support compliance for current and future regulations,” concluded Dronfield.